Bug 1142176 - Kerberos ticket is not renewed properly and BIND later deadlocks
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: bind-dyndb-ldap
Version: 6.6
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Petr Spacek
QA Contact: Namita Soman
URL:
Whiteboard:
Depends On: 1142150
Blocks: 1142152
Reported: 2014-09-16 09:59 UTC by Arpit Tolani
Modified: 2019-07-11 08:11 UTC (History)

Fixed In Version: bind-dyndb-ldap-2.3-7.el6
Doc Type: Bug Fix
Doc Text:
The bind-dyndb-ldap library incorrectly compared current time and the expiration time of the Kerberos ticket used for authentication to an LDAP server. As a consequence, the Kerberos ticket was not renewed under certain circumstances, which caused the connection to the LDAP server to fail. The connection failure often happened after a BIND service reload was triggered by the logrotate utility. A patch has been applied to fix this bug, and Kerberos tickets are correctly renewed in this scenario.
Clone Of: 1142150
Environment:
Last Closed: 2015-07-22 05:39:02 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2015:1259 0 normal SHIPPED_LIVE bind-dyndb-ldap bug fix update 2015-07-20 17:49:53 UTC

Description Arpit Tolani 2014-09-16 09:59:12 UTC
+++ This bug was initially created as a clone of Bug #1142150 +++

Description of problem:
bind hangs after reload/GSSAPI Error: The referenced context has expired (Success)

 After a while (about once in a week) the bind daemon is in the state hang/zombie. The bind daemon seems to be present and accept requests from the clients, but is not answering any dns requests. Only killing the process with kill -9 can stop the daemon. After starting bind again, it works fine, until the problem occurs again.

Version-Release number of selected component (if applicable):
bind-9.9.4-14.el7.x86_64

How reproducible:
Every time logrotate runs.

Steps to Reproduce:
1. Configure IPA server with DNS
2. Wait till logrotate starts rotating. 

Additional info:
It is related to https://fedorahosted.org/bind-dyndb-ldap/ticket/131

--- Additional comment from Tomas Hozza on 2014-09-16 05:54:04 EDT ---

Thank you for your report.

I already discussed this issue with Petr Spacek and it should be pretty easy to fix it. It is an error in the dyndb patch adding API for bind-dyndb-ldap.

I'll talk to QA guys and try to get it into 7.1.

Comment 1 Petr Spacek 2014-09-16 10:11:45 UTC
This problem is caused by two separate bugs: This one and bug 1142152. We need to fix both to completely solve the issue.

Comment 3 Petr Spacek 2014-09-16 17:30:02 UTC
There is nothing private in this bug. Publicizing.

Comment 4 Petr Spacek 2014-09-16 18:37:02 UTC
This problem is already fixed upstream, see commit https://fedorahosted.org/bind-dyndb-ldap/changeset/80f7663f309c0d0b9cb89ed8f8b38301b207360d/ .

Comment 6 Kaleem 2015-05-19 13:33:31 UTC
Verified.

bind-dyndb-ldap version:
========================
bind-dyndb-ldap-2.3-7.el6.x86_64

snip from automation log:
=========================
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
:: [   LOG    ] :: bz1142176: Kerberos ticket is not renewed properly and BIND later deadlocks
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   LOG    ] :: kinit as admin with password xxxxxxxx was successful.
:: [   PASS   ] :: Kinit as admin user (Expected 0, got 0)
:: [   PASS   ] :: Adding a test dns A record (Expected 0, got 0)
:: [   PASS   ] :: Looking up for test record using dig (Expected 0, got 0)
:: [   PASS   ] :: Changing time one day ahead so lograte can happen (Expected 0, got 0)
:: [   PASS   ] :: Running logrotate forcefully (Expected 0, got 0)
:: [   LOG    ] :: logrotate ran successfully
:: [   PASS   ] :: Command 'ls -la /var/log/message*' (Expected 0, got 0)
:: [   PASS   ] :: Looking up for test record using dig after log rotate (Expected 0, got 0)
:: [   PASS   ] :: Resetting the date (Expected 0, got 0)
:: [   PASS   ] :: Deleting the test record (Expected 0, got 0)
:: [   PASS   ] :: Deleting generated log files (Expected 0, got 0)
:: [   LOG    ] :: Duration: 14s
:: [   LOG    ] :: Assertions: 10 good, 0 bad
:: [   PASS   ] :: RESULT: bz1142176: Kerberos ticket is not renewed properly and BIND later deadlocks

Comment 7 Petr Spacek 2015-05-20 05:29:59 UTC
Hello Kaleem,

please double-check that logrotate actually ran command 'rndc reload' (instead of 'service named restart'). I want to be 100 % sure that the bug was fixed properly. Thank you!

Comment 8 Kaleem 2015-05-21 06:33:09 UTC
(In reply to Petr Spacek from comment #7)
> Hello Kaleem,
> 
> please double-check that logrotate actually ran command 'rndc reload'
> (instead of 'service named restart'). I want to be 100 % sure that the bug
> was fixed properly. Thank you!

As we have figured out, logrotate runs "named reload", which also calls "rndc reload", so I have added a check for "named reload" in the automation code.

:: [   LOG    ] :: bz1142176: Kerberos ticket is not renewed properly and BIND later deadlocks
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

:: [   LOG    ] :: kinit as admin with password xxxxxxxx was successful.
:: [   PASS   ] :: Kinit as admin user (Expected 0, got 0)
:: [   PASS   ] :: Adding a test dns A record (Expected 0, got 0)
:: [   PASS   ] :: Looking up for test record using dig (Expected 0, got 0)
:: [   PASS   ] :: Changing time one day ahead so lograte can happen (Expected 0, got 0)
:: [   PASS   ] :: Command 'sleep 60' (Expected 0, got 0)
:: [   PASS   ] :: clearing the /var/log/messages file (Expected 0, got 0)
:: [   PASS   ] :: Command 'sleep 60' (Expected 0, got 0)
:: [   PASS   ] :: Running logrotate forcefully (Expected 0, got 0)
:: [   PASS   ] :: Command 'sleep 60' (Expected 0, got 0)
:: [   LOG    ] :: logrotate ran successfully
:: [   PASS   ] :: Command 'ls -la /var/log/message*' (Expected 0, got 0)
:: [   PASS   ] :: File '/var/log/messages-20150521' should contain 'reloading zones succeeded' 
:: [   PASS   ] :: Looking up for test record using dig after log rotate (Expected 0, got 0)
:: [   PASS   ] :: Resetting the date (Expected 0, got 0)
:: [   PASS   ] :: Deleting the test record (Expected 0, got 0)
:: [   PASS   ] :: Deleting generated log files (Expected 0, got 0)
:: [   LOG    ] :: Duration: 3m 9s
:: [   LOG    ] :: Assertions: 15 good, 0 bad
:: [   PASS   ] :: RESULT: bz1142176: Kerberos ticket is not renewed properly and BIND later deadlocks
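
The point raised in comment 7, that a passing run only counts if the reload really happened, can be checked from the logs themselves. The following is an added example, not part of the bug report or of Red Hat's automation: it classifies a log file using the two message strings quoted on this page, and the function name and sample log lines are constructed.

```shell
#!/bin/sh
# Added example, not part of the bug report. The two matched strings are quoted
# on this page; the surrounding syslog line layout below is constructed.
EXPIRED='GSSAPI Error: The referenced context has expired'
RELOADED='reloading zones succeeded'

# check_named_log FILE prints exactly one verdict:
#   no-reload            no reload completion logged: the run never exercised the bug path
#   expired-after-reload expiry error logged after a reload (the failure in this bug)
#   expired              expiry error logged, but no reload before it
#   ok                   reload completed and no expiry error was logged
check_named_log() {
    awk -v expired="$EXPIRED" -v reloaded="$RELOADED" '
        index($0, reloaded)            { reloads++ }
        index($0, expired) &&  reloads { after++ }
        index($0, expired) && !reloads { before++ }
        END {
            if (after)         print "expired-after-reload"
            else if (before)   print "expired"
            else if (!reloads) print "no-reload"
            else               print "ok"
        }' "$1"
}

# Constructed sample: a reload followed by the GSSAPI expiry error.
sample=$(mktemp)
cat > "$sample" <<'EOF'
May 21 03:10:02 ipa named[1234]: reloading zones succeeded
May 21 03:10:05 ipa named[1234]: GSSAPI Error: The referenced context has expired (Success)
EOF
echo "sample verdict: $(check_named_log "$sample")"
rm -f "$sample"
```

A `no-reload` verdict means the log gives no evidence that the reload path was exercised, so a passing DNS lookup in the same run says nothing about this bug.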

Comment 10 errata-xmlrpc 2015-07-22 05:39:02 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-1259.html

